@renovate renovate bot commented Nov 3, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/download-artifact | action | major | v5.0.0 -> v6.0.0 |
| actions/upload-artifact | action | major | v4.6.1 -> v5.0.0 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

actions/download-artifact (actions/download-artifact)

v6.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

New Contributors

Full Changelog: actions/download-artifact@v5...v6.0.0

actions/upload-artifact (actions/upload-artifact)

v5.0.0

Compare Source

v4.6.2

Compare Source

What's Changed

  • Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @salmanmkc in #685

New Contributors

Full Changelog: actions/upload-artifact@v4...v4.6.2


Configuration

📅 Schedule: Branch creation - "before 2am every weekday" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the labels bot (Automated pull requests or issues), dependencies (Pull requests that update a dependency file), renovate (Pull requests from Renovate) and skip:test:long_running (Skip long-running tests (≥5min)) on Nov 3, 2025
github-actions bot commented Nov 3, 2025

Claude finished @renovate[bot]'s task —— View job


PR Review: GitHub Artifact Actions Update

Reviewing Renovate PR #238 for major version updates to GitHub artifact actions.

Todo List

  • Read .github/CLAUDE.md for CI/CD standards
  • Review all 8 changed workflow files
  • Analyze release notes for breaking changes
  • Verify artifact usage patterns are compatible
  • Check workflow syntax and structure
  • Provide comprehensive review feedback

✅ Review Summary

This Renovate PR updates GitHub artifact actions to their latest major versions. The changes are SAFE TO MERGE with no breaking API changes.

Changes Overview

8 workflow files updated:

  • _audit.yml
  • _build-native-only.yml
  • _ketryx_report_and_check.yml (2 download-artifact calls)
  • _package-publish.yml (4 artifact calls)
  • _scheduled-audit.yml
  • _scheduled-test-daily.yml
  • _scheduled-test-hourly.yml
  • _test.yml

Version Updates:

  • actions/upload-artifact: v4.6.1 → v5.0.0 (+5 files)
  • actions/download-artifact: v5.0.0 → v6.0.0 (+3 files)

Breaking Changes Analysis

upload-artifact v5.0.0

  • Primary change: Node v24.x support
  • API compatibility: ✅ No API changes required
  • Current usage: All usage patterns remain valid

download-artifact v6.0.0

  • Primary change: Node v24.x support
  • API compatibility: ✅ No API changes required
  • Current usage: All usage patterns remain valid
  • Dependency: Bumps @actions/artifact to v4.0.0

Workflow Compatibility Check

All artifact usage patterns verified compatible:

Upload patterns (5 occurrences):

```yaml
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
  with:
    name: <artifact-name>
    path: <file-paths>
    retention-days: <1|7|30>
```

Download patterns (4 occurrences):

```yaml
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
  with:
    name: <artifact-name>
    path: <destination-path>
```

Download with pattern matching (1 occurrence):

```yaml
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
  with:
    pattern: dist_native-*
    path: dist_native_all/
    merge-multiple: false
```

All parameters used (name, path, pattern, merge-multiple, retention-days) remain supported in the new versions.

Security Review

SHA-pinned actions with version comments:

  • actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
  • actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0

No workflow permissions changes

No secret exposure risks

Medical Device Compliance

Ketryx workflow compatibility verified:

  • Artifact downloads in _ketryx_report_and_check.yml work with v6.0.0
  • SBOM and test result artifacts properly handled
  • Compliance reporting unaffected

BetterStack heartbeat monitoring:

  • No impact on scheduled workflow monitoring
  • Artifact uploads in scheduled jobs remain functional

CI/CD Impact Assessment

Affected workflows:

  1. Main CI/CD pipeline (ci-cd.yml) - Calls all affected reusable workflows
  2. Audit pipeline - Uses upload-artifact v5.0.0
  3. Test pipelines - Use upload-artifact v5.0.0
  4. Package publishing - Uses both upload v5.0.0 and download v6.0.0
  5. Native builds - Use upload-artifact v5.0.0
  6. Ketryx reporting - Uses download-artifact v6.0.0
  7. Scheduled jobs (3 workflows) - Use upload-artifact v5.0.0

Risk assessment: LOW RISK

  • No functional API changes
  • All usage patterns remain valid
  • Node v24.x support improves future compatibility
  • SHA-pinned versions ensure deterministic behavior

Testing Recommendations

Since this PR only updates dependency versions with no functional changes:

Add label: skip:test:long_running to save CI time (Renovate PRs should not need this, but recommended)

Verify in CI:

  • Lint and audit should pass ✓
  • Unit/integration tests should pass ✓
  • Artifact upload/download in test workflows should work ✓

Recommendations

  1. Merge this PR - Changes are safe and maintain compatibility
  2. Monitor first CI run - Verify artifacts upload/download successfully
  3. No code changes needed - All usage patterns remain valid
  4. ℹ️ Future benefit - Node v24.x support prepares for GitHub Actions runner updates

Adherence to Repository Standards

Follows .github/CLAUDE.md guidelines:

  • Reusable workflow pattern maintained
  • Artifact naming conventions preserved
  • Retention policies unchanged (1/7/30 days appropriate)
  • BetterStack heartbeat compatibility verified

No architectural violations:

  • No changes to workflow logic
  • Only dependency version updates
  • SHA pinning maintained for security

Final Verdict

✅ APPROVED - SAFE TO MERGE

This is a clean dependency update with no breaking API changes. The "major" version designation reflects Node v24.x support, not functional changes. All artifact upload/download patterns in the repository remain fully compatible.

Action: Merge when CI passes.
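
The SHA-pinning convention listed under Security Review above (full commit SHA plus a trailing version comment) can be checked mechanically. This is an added example, not part of the PR or of any bot's output: the workflow text is constructed apart from the two pinned references quoted in the review, and the function name and finding labels are hypothetical.

```python
import re

# "uses: owner/repo[/path]@ref  # comment" at step or job level.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>.*\S))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")           # full commit SHA only
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+){0,2}\b")  # e.g. "v5.0.0"


def audit_workflow(text):
    """Return (line_number, action, finding) for every remote action
    reference that is not pinned as '<40-hex SHA> # vX.Y.Z'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # local actions (./path) carry no '@ref' and are skipped
        action, ref, comment = m["action"], m["ref"], m["comment"]
        if action.startswith("docker://"):
            continue  # container images use digests, not git SHAs
        if not FULL_SHA_RE.match(ref):
            # Tags and branches are mutable; short SHAs are ambiguous.
            findings.append((lineno, action, "ref-not-full-sha"))
        elif not (comment and VERSION_COMMENT_RE.match(comment)):
            # Pinned, but a reviewer cannot tell which release the SHA is.
            findings.append((lineno, action, "missing-version-comment"))
    return findings


# Constructed sample: lines 5-6 reuse the pinned references from the review,
# lines 7-8 are deliberately non-conforming.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      - uses: actions/download-artifact@v6
      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, action, finding in audit_workflow(SAMPLE):
        print(f"line {lineno}: {action}: {finding}")
```

The check is purely syntactic: it confirms the form of the pin, not that the SHA exists in the upstream repository or matches the release named in the comment.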


codecov bot commented Nov 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

❌ Your project check has failed because the head coverage (62.91%) is below the target coverage (70.00%). You can increase the head coverage or adjust the target coverage.
see 20 files with indirect coverage changes

sonarqubecloud bot commented Nov 3, 2025
